Tracing the Crimeware Origins by Reversing Injected Code
Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4:Tracing the Crimeware Origins by Reversing the Injected Code
In this final part we will trace the origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the antivirus. It could be used to delivery any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).
Let’s take a look at the max++ DLL. It is injected into other processes address space by the kernel mode driver reversed in Part 3. Here are the hashes for this DLL:
FileSize: 36.00 KB (36864 bytes)
No VersionInfo Available.
max++.00.x86.dll does not have an ET ( Export Table ) entire code is contained into DllEntryPoint() function.
This malicious DLL is injected via APC and ZwAllocateVirtualMemory by the second installed driver. Recall that this driver finds newly loaded processes via PsSetLoadImageNotifyRoutine.
This DLL can be debugged by using OllyDbg 1.10 LoadDLL utility. As this component is the just a small feature of ZeroAccess, we won’t go into as much detail on it as we did with the two drivers and the user-mode agent.
The above ZwTestAlert function tests whether the current thread has been alerted (and clears the alerted flag). It also enables the delivery of queued user APCs. NextDisableThreadLibraryCalls disables the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the DLL. By disabling the notifications, the DLL initialization code is not paged in because a thread is created or deleted, thus reducing the size of the application’s working code set. This use of DisableThreadLibraryCalls increases invisibility for the injected DLL.
The call EAX is placed inside a do-while that updates the value pointed by EAX in iteration. This involves in calling a different routine each time. Let’s look at the next code block:
We see the API call completed. A thread is created, and we can inspect it by reaching the StartAddress argument. This new thread will invoke a couple of calls that will talk to a Command and Control (C&C) server. The C&C server will issue requests to websites that contain code to install further malicious code to be executed on the victim’s machine.
From string analysis we can obtain some valuable information:
All these entries as you can see are placed into the hidden NTFS volume that was analyzed previously. There are also other interesting strings like:
The CLSID encoding is of great help during malware forensics. It can be used to determine univocally malware type and version. A quick search show us that this CLSID belongs to Trojan-Ransom.Win32.Digitala.b which is a downloader Aagent.
The above code blocks are executed if fdwReason is satisfied. Otherwise execution flows to another block of code that essentially acts as a cleanup routine.
This injected DLL serves the purpose of generating web redirections to malicious websites that contain FakeAntivirus software. Fake antivirus software (a.k.a misleading applications or rogue antivirus) is big business nowadays with Symantec reporting 43 million installation attempts from over 250 distinct programs between July 1, 2009, to June 30, 2010. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.
The malicious URLs are:
The IP address behind these domains is 220.127.116.11. From www.robtex.com we can see the following graph
AS29073 belongs to Ecatel Network which is a well known crimeware friendly ISP.
Ecatel is infamous for the massive hosting of malware and spambots, the most widely used IPs are:
Detailed information on Ecatel activities can be seen here: http://www.sudosecure.net/archives/333
Often Ecatel was involved into fakeAV campaigns, and ZeroAccess drives to fake software download. From sudosecure.net we see a relation with the well-know cybercrime ring, RBN ( Russian Business Network ).